Abstract

Wiener's attack is a well-known polynomial-time attack on an RSA
cryptosystem with small secret decryption exponent $d$, which works if
$d < n^{0.25}$, where $n = pq$ is the modulus of the cryptosystem. Namely,
in that case $d$ is the denominator of some convergent $p_m/q_m$ of the
continued fraction expansion of $e/n$, and therefore $d$ can be computed
efficiently from the public key $(n, e)$.

There are several extensions of Wiener's attack that allow the RSA
cryptosystem to be broken when $d$ is a few bits longer than $n^{0.25}$. They
all have run-time complexity (at least) $O(D^2)$, where $d = D n^{0.25}$.
Here we propose a new variant of Wiener's attack, which uses results
on Diophantine approximations of the form $|\alpha - p/q| < c/q^2$ and a
"meet-in-the-middle" variant for testing the candidates (of the form
$r q_{m+1} + s q_m$) for the secret exponent. This decreases the run-time
complexity of the attack to $O(D \log D)$ (with space complexity
$O(D)$).



1 Introduction 

The most popular public key cryptosystem in use today is the RSA cryptosystem,
introduced by Rivest, Shamir, and Adleman [H]. Its security is
based on the intractability of the integer factorization problem.

The modulus n of a RSA cryptosystem is the product of two large primes 
p and q. The public exponent e and the secret exponent d are related by 

$$ed \equiv 1 \pmod{\varphi(n)}, \qquad (1)$$



2000 Mathematics Subject Classification: Primary 94A60; Secondary 11A55, 11J70. 
Key words: RSA cryptosystem, continued fractions, cryptanalysis 






where $\varphi(n) = (p-1)(q-1)$. In a typical RSA cryptosystem, $p$ and $q$ have
approximately the same number of bits, while $e < n$. The encryption and
decryption algorithms are given by $C = M^e \bmod n$ and $M = C^d \bmod n$.

To speed up the RSA decryption one may try to use small secret de- 
cryption exponent d. The choice of a small d is especially interesting when 
there is a large difference in computing power between two communicating 
devices, e.g. in communication between a smart card and a larger computer. 
In this situation, it would be desirable that the smart card has a small secret 
exponent, while the larger computer has a small public exponent, to reduce 
the processing required in the smart card. 

In 1990, Wiener [13] described a polynomial time algorithm for breaking
a typical (i.e. $p$ and $q$ are of the same size and $e < n$) RSA cryptosystem if
the secret exponent $d$ has at most one-quarter as many bits as the modulus
$n$. From (1) it follows that there is an integer $k$ such that $ed - k\varphi(n) = 1$.
Since $\varphi(n) \approx n$, we have that $k/d \approx e/n$. Wiener's attack is usually described in
the following form (see [2], [9]):

If $p < q < 2p$, $e < n$ and $d < \frac{1}{3}\sqrt[4]{n}$, then $d$ is the denominator of some
convergent of the continued fraction expansion of $e/n$.

Indeed, under these assumptions it is easy to show that

$$\left| \frac{e}{n} - \frac{k}{d} \right| < \frac{1}{2d^2}.$$

By the classical Legendre's theorem (if $|\alpha - p/q| < 1/(2q^2)$ for a reduced fraction
$p/q$, then $p/q$ is a convergent of $\alpha$), $k/d$ is some convergent $p_m/q_m$ of the
continued fraction expansion of $e/n$, and therefore $d$ can be computed efficiently from
the public key $(n, e)$. Namely, the total number of convergents is of order
$O(\log n)$, and each convergent can be tested in polynomial time.

In 1997, Verheul and van Tilborg [12] proposed an extension of Wiener's
attack that allows the RSA cryptosystem to be broken when $d$ is a few
bits longer than $n^{0.25}$. For $d > n^{0.25}$ their attack needs to do an exhaustive
search for about $2t + 8$ bits (under reasonable assumptions on the involved partial
quotients), where $t = \log_2(d/n^{0.25})$.

In [1], we proposed a slight modification of the Verheul and van Tilborg
attack, based on Worley's result on Diophantine approximations [Hj], which
implies that all rationals $p/q$ satisfying the inequality

$$\left| \alpha - \frac{p}{q} \right| < \frac{c}{q^2} \qquad (2)$$

for a positive real number $c$ have the form

$$\frac{p}{q} = \frac{r p_{m+1} \pm s p_m}{r q_{m+1} \pm s q_m} \qquad (3)$$

for some $m \geq -1$ and nonnegative integers $r$ and $s$ such that $rs < 2c$. It has
been shown recently in [5] that Worley's result is sharp, in the sense that the
condition $rs < 2c$ cannot be replaced by $rs < (2 - \varepsilon)c$ for any $\varepsilon > 0$.

In both mentioned extensions of Wiener's attack, the candidates for the
secret exponent are of the form $d = r q_{m+1} + s q_m$. Then we test all possibilities
for $d$. The number of possibilities is roughly the product of the number
of possibilities for $r$ and the number of possibilities for $s$, which is $O(D^2)$,
where $d = D n^{0.25}$. More precisely, the number of possible pairs $(r, s)$ in
the Verheul and van Tilborg attack is $O(D^2 A^2)$, where $A = \max\{a_i : i =
m+1, m+2, m+3\}$, while in our variant the number of pairs is $O(D^2 \log A)$
(and also $O(D^2 \log D)$).

Another modification of the Verheul and van Tilborg attack has been
recently proposed by Sun, Wu and Chen [11]. It requires (heuristically) an
exhaustive search for about $2t - 10$ bits, so its complexity is also $O(D^2)$.
We cannot expect drastic improvements here, since, by a result of Steinfeld,
Contini, Wang and Pieprzyk [10], there does not exist an attack in this class
with subexponential running time.

Boneh and Durfee [5] and Blömer and May [T] proposed attacks based
on Coppersmith's lattice-based technique for finding small roots of modular
polynomial equations using the LLL algorithm. The attacks work if $d < n^{0.292}$.
The conjecture is that the right bound below which a typical version of RSA
is insecure is $d < n^{0.5}$.

In the present paper, we propose a new variant of Wiener's attack. It
also uses continued fractions and searches for candidates for the secret key
in the form $d = r q_{m+1} + s q_m$. However, the searching phase of this variant is
significantly faster. Its complexity is $O(D \log D)$, and it works efficiently for
$d < 2^{30} n^{0.25}$. Although this bound is asymptotically weaker than the bounds
in the above mentioned attacks based on the LLL algorithm (note however
that these bounds are not strictly proved, since Coppersmith's theorem in the
bivariate case is only a heuristic result; see also [6], [7]), for practical values
of $n$ (e.g. for 1024 bits) these bounds are of comparable size.
2 The Verheul and van Tilborg attack



In this section we briefly describe the Verheul and van Tilborg attack [12]
and its modification from [1].

We assume that $p < q < 2p$ and $e < n$. Then it is easy to see that

$$\left| \frac{e}{n} - \frac{k}{d} \right| < \frac{2.122\, e}{n\sqrt{n}} \qquad (4)$$

(note that $\frac{e}{n} - \frac{k}{d} = \frac{1 - k(p+q-1)}{nd}$, and that $p < q < 2p$ gives
$p + q < (\tfrac{1}{\sqrt{2}} + \sqrt{2})\sqrt{n} < 2.122\sqrt{n}$).



Let $m$ be the largest (odd) integer satisfying $\frac{p_m}{q_m} > \frac{e}{n} + \frac{2.122\, e}{n\sqrt{n}}$. Verheul and van
Tilborg proposed to search for $k/d$ among the fractions of the form $\frac{r p_{m+1} + s p_m}{r q_{m+1} + s q_m}$.
This leads to the system

$$r p_{m+1} + s p_m = k, \qquad r q_{m+1} + s q_m = d.$$

The determinant of the system satisfies $|p_{m+1} q_m - q_{m+1} p_m| = 1$, and therefore
the system has (positive) integer solutions:

$$r = d p_m - k q_m, \qquad s = k q_{m+1} - d p_{m+1}.$$
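As a check of these formulas (added here, in the notation of the system above): for odd $m$ the
consecutive convergents satisfy $p_m q_{m+1} - p_{m+1} q_m = 1$, hence

$$r p_{m+1} + s p_m = (d p_m - k q_m)\, p_{m+1} + (k q_{m+1} - d p_{m+1})\, p_m = k\,(p_m q_{m+1} - p_{m+1} q_m) = k,$$
$$r q_{m+1} + s q_m = (d p_m - k q_m)\, q_{m+1} + (k q_{m+1} - d p_{m+1})\, q_m = d\,(p_m q_{m+1} - p_{m+1} q_m) = d.$$

For even $m$ the determinant equals $-1$ and both $r$ and $s$ change sign, which is why $m$ is taken odd.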

If $r$ and $s$ are small, then they can be found by an exhaustive search. Let
$[a_0; a_1, a_2, \ldots]$ be the continued fraction expansion of $e/n$ and $D = d/n^{0.25}$.
In [1], the following upper bounds for $r$ and $s$ were derived:

$$r < \max\{\sqrt{2.122\,(a_{m+3}+2)(a_{m+2}+1)}\, D,\ \sqrt{2.122\,(a_{m+2}+2)}\, D\},$$
$$s < \max\{2\sqrt{2.122\,(a_{m+3}+2)}\, D,\ \sqrt{2.122\,(a_{m+2}+2)(a_{m+1}+1)}\, D\}.$$

The modified attack proposed in [1] searches for $k/d$ among the fractions of
the forms $\frac{r p_{m+1} + s p_m}{r q_{m+1} + s q_m}$, $\frac{r p_{m+2} - s p_{m+1}}{r q_{m+2} - s q_{m+1}}$ and $\frac{r p_{m+3} + s p_{m+2}}{r q_{m+3} + s q_{m+2}}$. It results in bounds for
$r$ and $s$ which are (almost) independent of the partial quotients $a_m$. Hence,
in both attacks the bounds for $r$ and $s$ are of the form $O(D)$, but in the case
of [1] the implied constants are much smaller (indeed, the table in Section 4
shows that with high probability we have $r < 4D$ and $s < 4D$).



3 Testing the candidates 

There are two principal methods for testing candidates for the secret expo- 
nent d. 
Method I ([13]): Compute $p$ and $q$, assuming $d$ is the correct guess (and $k$ the
numerator of the tested fraction $k/d$), using the following formulas:

$$\varphi(n) = (de - 1)/k, \qquad p + q = n + 1 - \varphi(n),$$
$$(q - p)^2 = (p + q)^2 - 4n,$$
$$p = \frac{p+q}{2} - \frac{q-p}{2}, \qquad q = \frac{p+q}{2} + \frac{q-p}{2}.$$

A wrong candidate is detected when $(de - 1)/k$ is not an integer, or when
$(p+q)^2 - 4n$ is not a perfect square, or when the resulting $p$ does not divide $n$.

Method II ([P, Chapter 17]): Test the congruence $(M^e)^d \equiv M \pmod n$
for some random value of $M$, or simply for $M = 2$.

Both methods are very efficient. But in the situation where we have to
test a huge number of candidates for $d$ of the form $r q_{m+1} + s q_m$, there is a
significant difference between them. With Method I it seems that we
cannot avoid testing all possible pairs $(r, s)$ separately. On the other hand,
here we present a new idea, which is to apply "meet-in-the-middle" to
Method II.

We want to test whether

$$2^{e(r q_{m+1} + s q_m)} \equiv 2 \pmod n. \qquad (5)$$

Note that $m$ is (almost) fixed. Indeed, let $m'$ be the largest odd integer such
that

$$\frac{p_{m'}}{q_{m'}} > \frac{e}{n} + \frac{2.122\, e}{n\sqrt{n}}.$$

Then $m \in \{m', m'+1, m'+2\}$ (see [1] for details).

Let $a = 2^{e q_{m+1}} \bmod n$ and $b = (2^{e q_m})^{-1} \bmod n$. Since
$2^{e(r q_{m+1} + s q_m)} = (2^{e q_{m+1}})^r (2^{e q_m})^s$, the congruence (5) is
equivalent to

$$a^r \equiv 2 b^s \pmod n. \qquad (6)$$

We can test it by computing $a^r \bmod n$ for all $r$, sorting the list of results,
and then computing $2 b^s \bmod n$ for each $s$ one at a time and checking (by binary
search) whether the result appears in the sorted list. Each side of (6) is thus
evaluated only $O(D)$ times instead of once per pair $(r, s)$.

This decreases the time complexity of the testing phase to $O(D \log D)$
(with space complexity $O(D)$).
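The whole attack as one worked example in Python: the continued fraction of $e/n$ and Wiener's convergent test of Section 1, Method I for turning a candidate $(k, d)$ into the factorization, and the meet-in-the-middle test (6) for candidates $d = r q_{m+1} \pm s q_m$ of Section 2. This is an added example, not code from the paper. It assumes a constructed toy instance with the primes $2^{31} - 1$ and $2^{32} - 5$ (so $p < q < 2p$ and $n$ has 63 bits), a secret exponent chosen about 3 bits longer than $n^{0.25}$, and an attacker who only knows an upper bound $D_{\max}$ on $D = d/n^{0.25}$. Unlike the paper, which restricts $m$ to $\{m', m'+1, m'+2\}$ and $r, s$ to about $4D$, the search below runs over every $m \geq -1$ and both signs of Worley's form (3) with the exhaustive bound $rs < 2c$, $c < 2.122 D^2$, so that it is guaranteed rather than probabilistic; all function and constant names are the example's own.

```python
from math import gcd, isqrt

# --- continued fractions --------------------------------------------------

def continued_fraction(num, den):
    """Partial quotients [a_0; a_1, a_2, ...] of num/den (Euclid's algorithm)."""
    quotients = []
    while den:
        a, rem = divmod(num, den)
        quotients.append(a)
        num, den = den, rem
    return quotients

def convergents(quotients):
    """Numerators P and denominators Q of the convergents p_i/q_i, i >= -1.
    Index 0 holds p_{-1}/q_{-1} = 1/0, so p_m is P[m + 1]."""
    P, Q = [0, 1], [1, 0]              # p_{-2}, p_{-1} and q_{-2}, q_{-1}
    for a in quotients:
        P.append(a * P[-1] + P[-2])
        Q.append(a * Q[-1] + Q[-2])
    return P[1:], Q[1:]

# --- Method I: a candidate (k, d) either factors n or is rejected ----------

def factor_from_candidate(n, e, k, d):
    """Return (p, q) if e*d - k*phi(n) = 1 really holds, else None.
    A wrong guess fails because (de-1)/k is not an integer, (p+q)^2 - 4n
    is not a perfect square, or the recovered p does not divide n."""
    if k <= 0 or d <= 0 or (e * d - 1) % k:
        return None
    phi = (e * d - 1) // k
    sum_pq = n + 1 - phi
    disc = sum_pq * sum_pq - 4 * n
    if disc < 0:
        return None
    diff_pq = isqrt(disc)
    if diff_pq * diff_pq != disc or (sum_pq - diff_pq) % 2:
        return None
    p, q = (sum_pq - diff_pq) // 2, (sum_pq + diff_pq) // 2
    return (p, q) if p > 1 and p * q == n else None

# --- Wiener: d is the denominator of a convergent of e/n ------------------

def wiener(n, e):
    P, Q = convergents(continued_fraction(e, n))
    for k, d in zip(P, Q):
        if factor_from_candidate(n, e, k, d):
            return d
    return None

# --- the paper's variant: d = r q_{m+1} +/- s q_m, meet-in-the-middle -----

def mitm_attack(n, e, d_max_ratio):
    """Recover d under the assumption d < d_max_ratio * n^0.25.
    For each m and sign, 2^(e d) = 2 (mod n) with d = r q_{m+1} +/- s q_m
    becomes a^r = 2 b^s (mod n), a = 2^(e q_{m+1}), b = (2^(e q_m))^(-1)
    for '+' and b = 2^(e q_m) for '-'.  Worley's theorem gives r s < 2c with
    c < 2.122 D^2, so r, s <= ceil(4.25 D^2) + 1 is an exhaustive bound
    (the paper reports that r, s <= 4D already succeeds 98% of the time)."""
    bound = -(-425 * d_max_ratio * d_max_ratio // 100) + 1
    P, Q = convergents(continued_fraction(e, n))
    for idx in range(len(Q) - 1):          # idx = m + 1, i.e. m = -1, 0, 1, ...
        pm, qm, pm1, qm1 = P[idx], Q[idx], P[idx + 1], Q[idx + 1]
        a = pow(2, e * qm1, n)             # 2^(e q_{m+1}) mod n
        g = pow(2, e * qm, n)              # 2^(e q_m)     mod n
        table, ar = {}, 1                  # a^r mod n -> list of r (collisions kept)
        for r in range(bound + 1):
            table.setdefault(ar, []).append(r)
            ar = ar * a % n
        for sign, b in ((1, pow(g, -1, n)), (-1, g)):
            bs = 1                         # b^s mod n, s = 0, 1, ...
            for s in range(bound + 1):
                for r in table.get(2 * bs % n, ()):
                    k = r * pm1 + sign * s * pm
                    d = r * qm1 + sign * s * qm
                    if factor_from_candidate(n, e, k, d):
                        return d           # match of (6) confirmed by Method I
                bs = bs * b % n
    return None

# --- constructed toy instance (assumption: these primes, p < q < 2p) ------

P_PRIME, Q_PRIME = 2147483647, 4294967291     # 2^31 - 1 and 2^32 - 5
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
ROOT4 = isqrt(isqrt(N))                       # floor(n^0.25)

def make_key(d_start):
    """Smallest odd d >= d_start with gcd(d, phi) = 1, and e = d^-1 mod phi."""
    d = d_start | 1
    while gcd(d, PHI) != 1:
        d += 2
    return pow(d, -1, PHI), d

E_SMALL, D_SMALL = make_key(10001)            # d < n^0.25 / 3: Wiener's case
E, D_TRUE = make_key(8 * ROOT4 - 500)         # d just below 8 n^0.25 (t = 3 bits)
K_TRUE = (E * D_TRUE - 1) // PHI

if __name__ == "__main__":
    print("Wiener, d < n^0.25/3 :", wiener(N, E_SMALL) == D_SMALL)
    print("Wiener, d ~ 8 n^0.25  :", wiener(N, E))          # usually None
    print("meet-in-the-middle    :", mitm_attack(N, E, 8) == D_TRUE)
```

The table of $a^r$ for one $m$ is built once and reused for both signs; only the sequence of $2b^s$ values changes. The dictionary keeps every $r$ that produced the same residue, and an accidental match of (6) is discarded by Method I, which is the role the paper assigns to it in Section 4; storing only a few bits of each residue, as Section 4 suggests, would cut memory further at the cost of more such checks.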
4 Implementation issues and improvements



The theoretical basis for the extension of Wiener's attack is Worley's theorem
on Diophantine approximations of the form (2). We have already mentioned
a result from [5] which shows that Worley's result is in some sense the best
possible. However, some improvements are possible if we consider asymmetric
variants of Worley's result (with different bounds on $r$ and $s$). Roughly
speaking, in solutions of (2) of the form (3), if $r < s$ then we may take $rs < c$
instead of $rs < 2c$. Due to such asymmetric results, a space-time tradeoff
might be possible. The following table shows the chance of success of our
attack for various (symmetric and asymmetric) bounds on $r$ and $s$. We
can see that, with the same bound for $rs$, better results are obtained for
smaller bounds on $r$ and larger bounds on $s$. In the implementations, this
fact can be used to decrease the memory requirements (by up to a factor of 16).



    bound for r    bound for s    chance of success
    4D             4D             98%
    2D             2D             89%
    D              D              65%
    D              4D             86%
    4D             D              74%
    D/2            2D             70%
    2D             D/2            47%
    D/4            4D             54%
    4D             D/4            28%



In the implementation of the proposed attack, we can use hash functions
instead of sorting. Furthermore, it is not necessary to store all bits
of $a^r \bmod n$ in the hash table. Indeed, the values of $a^r \bmod n$ are from the
set $\{0, 1, \ldots, n-1\}$, and the number of $r$'s is typically much smaller than $n$.
Therefore, around $2\log_2 D$ stored bits will suffice in order to avoid too many
accidental collisions. Note that a reasonable number of collisions is not a big
problem here, since each such collision can be efficiently tested by Method I.
Hash tables can also be used to take into account the condition $\gcd(r, s) = 1$. This
condition was easy to use in brute-force testing of all possible pairs $(r, s)$, but
the direct application of our "meet-in-the-middle" variant seemingly ignores
it. But if we create rows in the hash table according to the divisibility properties
of the exponents $r$ modulo small primes, we may again take advantage of this
condition and speed up the algorithm by up to 39%.

We have implemented several variants of the proposed attack in PARI and
C++, and they work efficiently for values of $D$ up to $2^{30}$, i.e. for $d < 2^{30} n^{0.25}$.
For larger values of $D$ the memory requirements become too demanding
for ordinary computers.

The following table compares this bound with the bound on $d$ in the best
known attacks on RSA with small secret exponent based on the LLL algorithm.

    log2 n    log2(2^30 n^0.25)    log2(n^0.292)
    512       158                  150
    768       222                  224
    1024      286                  299
    2048      542                  598



The attack can also be slightly improved by using a better approximation
to $k/d$ than $e/n$. Namely, one considers

$$\left| \frac{e}{n + 1 - 2\sqrt{n}} - \frac{k}{d} \right|$$

instead of the left-hand side of (4). Note that $n + 1 - 2\sqrt{n} = (\sqrt{n} - 1)^2$ and
$\varphi(n) = (\sqrt{n} - 1)^2 - (\sqrt{q} - \sqrt{p})^2$, so this denominator is much closer to
$\varphi(n)$ than $n$ is. Comparing the resulting inequality with (4), we see that by replacing
$\frac{e}{n}$ by $\frac{e}{n + 1 - 2\sqrt{n}}$ we can gain a factor of 4 in the bounds for $r$ and $s$,
thus decreasing both time and memory requirements.

With these improvements, for a 1024-bit RSA modulus $n$, the range in
which our attack can be applied becomes comparable and competitive with the
best known attacks based on the LLL algorithm.